--- layout: docs page_title: Consul API Gateway Gateway description: >- This topic descrbes how to configure the Consul API Gateway Gateway object --- # Gateway This topic provides full details about the `Gateway` resource. ## Introduction A `Gateway` is an instance of network infrastructure that determines how service traffic should be handled. A `Gateway` contains one or more `listeners` that bind to a set of IP addresses. An `HTTPRoute` or `TCPRoute` can then attach to a gateway listener to direct traffic from the gateway to a service. Gateway instances derive their configurations from the [`GatewayClass`](/docs/api-gateway/configuration/gatewayclass) resource, which acts as a template for individual `Gateway` deployments. Refer to [GatewayClass](/docs/api-gateway/configuration/gatewayclass) for additional information. Specify the following parameters to declare a `Gateway`: | Parameter | Description | Required | | :----------- |:---------------------------------------------------------------------------------------------------------------------------------------------------------- |:-------- | | `kind` | Specifies the type of configuration object. The value should always be `Gateway`. | Required | | `description` | Human-readable string that describes the purpose of the `Gateway`. | Optional | | `version ` | Specifies the Kubernetes API version. The value should always be `gateway.networking.k8s.io/v1alpha2` | Required | | `scope` | Specifies the effective scope of the Gateway. The value should always be `namespaced`. | Required | | `fields` | Specifies the configurations for the Gateway. The fields are listed in the [configuration model](#configuration-model). Details for each field are described in the [specification](#specification). | Required | ## Configuration model The following outline shows how to format the configurations in the `Gateway` object. Click on a property name to view details about the configuration. * [`gatewayClassName`](#gatewayclassname): string | required * [`listeners`](#listeners): array of objects | required * [`allowedRoutes`](#listeners-allowedroutes): object | required * [`namespaces`](#listeners-allowedroutes-namespaces): object | required * [`from`](#listeners-namespaces-from): string | required * [`selector`](#listeners-allowedroutes-namespaces-selector): object | required if `from` is configured to `selector` * [`matchExpressions`](#listeners-allowedroutes-namespaces-selector-matchexpressions): array of objects | required if `matchLabels` is not configured * [`key`](#listeners-allowedroutes-namespaces-selector-matchexpressions): string | required if `matchExpressions` is declared * [`operator`](#listeners-allowedroutes-namespaces-selector-matchexpressions): string | required if `matchExpressions` is declared * [`values`](#listeners-allowedroutes-namespaces-selector-matchexpressions): array of strings | required if `matchExpressions` is declared * [`matchLabels`](#listeners-allowedroutes-namespaces-selector-matchlabels): map of strings | required if `matchExpressions` is not configured * [`hostname`](#listeners-hostname): string | required * [`name`](#listeners-name): string | required * [`port`](#listeners-port): integer | required * [`protocol`](#listeners-protocol)`: string | required * [`tls`](#listeners-tls): object | required if `protocol` is set to `HTTPS` * [`certificateRefs`](#listeners-tls): array or objects | required if `tls` is declared * [`name`](#listeners-tls): string | required if `certificateRefs` is declared * [`namespace`](#listeners-tls): string | required if `certificateRefs` is declared * [`mode`](#listeners-tls): string | required if `certificateRefs` is declared * [`options`](#listeners-tls): map of strings | optional ## Specification This topic provides details about the configuration parameters. ### gatewayClassName Specifies the name of the [`GatewayClass`](/docs/api-gateway/configuration/gatewayclass) resource used for the `Gateway` instance. Unless a custom [GatewayClass](/docs/api-gateway/configuration/gatewayclass) is being used, value should be set to `consul-api-gateway` * Type: string * Required: required ### listeners Specifies the `listeners` associated with the `Gateway`. At least one `listener` must be specified. Each `listener` within a `Gateway` must have a unique combination of `hostname`, `port`, and `protocol`. * Type: array of objects * Required: required ### listeners.allowedRoutes Specifies a `namespace` object that defines the types of routes that may be attached to a listener. * Type: object * Required: required ### listeners.allowedRoutes.namespaces Determines which routes are allowed to attach to the `listener`. Only routes in the same namespace as the `Gateway` may be attached by default. ### listeners.allowedRoutes.namespaces.from Determines which namespaces are allowed to attach a route to the `Gateway`. You can specify one of the following strings: * `All`: Routes in all namespaces may be attached to the `Gateway`. * `Same` (default): Only routes in the same namespace as the `Gateway` may be attached. * `Selector`: Only routes in namespaces that match the [`selector`](#listeners-allowedroutes-namespaces-selector) may be attached. This parameter is required. ### listeners.allowedRoutes.namespaces.selector Specifies a method for selecting routes that are allowed to attach to the listener. The `Gateway` checks for namespaces in the network that match either a regular expression or a label. Routes from the matching namespace are allowed to attach to the listener. You can configure one of the following objects: * [`matchExpressions`](#listeners-allowedroutes-namespaces-selector-matchexpressions) * [`matchLabels`](#listeners-allowedroutes-namespaces-selector-matchlabels) This field is required when [`from`](#listeners-allowedroutes-namespaces-from) is configured to `Selector`. ### listeners.allowedRoutes.namespaces.selector.matchExpressions Specifies an array of requirements for matching namespaces. If a match is found, then routes from the matching namespace(s) are allowed to attach to the `Gateway`. The following table describes members of the `matchExpressions` array: | Requirement | Description | Type | Required | |--- |--- |--- |--- | |`key` | Specifies the label that the `key` applies to. | string | required when `matchExpressions` is declared | |`operator` | Specifies the key's relation to a set of values. You can use the following keywords: | string | required when `matchExpressions` is declared | |`values` | Specifies an array of string values. If `operator` is configured to `In` or `NotIn`, then the `values` array must contain values. If `operator` is configured to `Exists` or `DoesNotExist`, then the `values` array must be empty. This array is replaced during a strategic merge patch. | array of strings | required when `matchExpressions` is declared | In the following example, routes in namespaces that contain `foo` and `bar` are allowed to attach routes to the `Gateway`. ```yaml namespaceSelector: matchExpressions: - key: kubernetes.io/metadata.name operator: In values: - foo - bar ``` ### listeners.allowedRoutes.namespaces.selector.matchLabels Specifies an array of labels and label values. If a match is found, then routes with the matching label(s) are allowed to attach to the `Gateway`. This selector can contain any arbitrary key/value pair. In the following example, routes in namespaces that have a `bar` label are allowed to attach to the `Gateway`. ```yaml namespaceSelector: matchLabels: foo: bar ``` Refer to [Labels and Selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) in the Kubernetes documentation for additional information about labels. ### listeners.hostname Specifies the `listener`'s hostname. * Type: string * Required: required ### listeners.name Specifies the `listener`'s name. * Type: string * Required: required ### listeners.port Specifies the port number that the `listener` attaches to. * Type: integer * Required: required ### listeners.protocol Specifies the protocol the `listener` communicates on. * Type: string * Required: required Allowed values are `TCP`, `HTTP`, or `HTTPS` ### listeners.tls Specifies the `tls` configurations for the `Gateway`. The `tls` object is required if `protocol` is set to `HTTPS`. The object contains the following fields: | Parameter | Description | Type | Required | | --- | --- | --- | --- | | `certificateRefs` |
Specifies Kubernetes `name` and `namespace` objects that contains TLS certificates and private keys.
The certificates establish a TLS handshake for requests that match the `hostname` of the associated `listener`. Each reference must be a Kubernetes Secret. If you are using a Secret in a namespace other than the `Gateway`'s, each reference must also have a corresponding [`ReferencePolicy`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.ReferencePolicy).
| Object or array | Required if `tls` is set | | `mode` | Specifies the TLS Mode. Should always be set to `Terminate` for `HTTPRoutes` | string | Required if `certificateRefs` is set | | `options` | Specifies additional Consul API Gateway options. The following keys are available `api-gateway.consul.hashicorp.com/tls_min_version`, `api-gateway.consul.hashicorp.com/tls_max_version`, `api-gateway.consul.hashicorp.com/tls_cipher_suites`| Map of strings | optional | In the following example, `tls` settings are configured to use a secret named `consul-server-cert` in the same namespace as the `Gateway` and the minimum tls version is set to `TLSv1_2`. ```yaml tls: certificateRefs: name: consul-server-cert group: "" kind: Secret mode: Terminate options: api-gateway.consul.hashicorp.com/tls_min_version: "TLSv1_2" ``` ## Complete configuration The following example shows a fully configured `Gateway`. ```yaml kind: Gateway Description: This gateway enables traffic from A to B. version: gateway.networking.k8s.io/v1alpha2 scope: Namespaced fields: - name: addresses supported: false - name: gatewayClassName type: string description: Name of a GatewayClass resource used for this Gateway. - name: listeners type: array description: | Description of the listeners associated with this Gateway. items: fields: - name: allowedRoutes type: object description: | AllowedRoutes defines the types of routes that MAY be attached to a Listener and the trusted namespaces where those Route resources MAY be present. fields: - name: kinds supported: false - name: namespaces type: object description: | Description of namespaces from which routes may be attached to this Listener. This is restricted to the namespace of this Gateway by default. fields: - name: from type: string default: Same description: | From indicates where Routes will be selected for this Gateway." enum: ["All", "Selector", "Same"] - name: selector type: object description: "Selector must be specified when From is set to \"Selector\". In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway." fields: - name: matchExpressions type: array description: | matchExpressions is a list of label selector requirements. The requirements are ANDed. items: fields: - name: key type: string description: | key is the label key that the selector applies to. - name: operator type: string description: | operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - name: values type: array description: | values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - name: matchLabels type: map description: | matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - name: hostname type: string description: | Hostname specifies the virtual hostname to match for HTTP or HTTPS-based listeners. When unspecified, all hostnames are matched. This is implemented by checking the HTTP Host header sent on a client request. - name: name type: string description: "Name is the name of the Listener. This name MUST be unique within a Gateway." - name: port type: integer description: "Port is the network port of a listener." - name: protocol type: string description: "Protocol specifies the network protocol this listener expects to receive." enum: ["HTTP", "HTTPS", "TCP"] - name: tls type: object description: | TLS is the TLS configuration for the Listener. This field is required if the Protocol field is "HTTPS". It is invalid to set this field if the Protocol field is "HTTP" or "TCP". fields: - name: certificateRefs type: array description: | CertificateRefs contains a series of references to Kubernetes objects that contains TLS certificates and private keys. These certificates are used to establish a TLS handshake for requests that match the hostname of the associated listener. Each reference must be a Kubernetes Secret, and, if using a Secret in a namespace other than the Gateway's, must have a corresponding ReferencePolicy created. items: fields: - name: group supported: false - name: kind supported: false - name: name type: string description: Name is the name of the Kubernetes Secret. - name: namespace type: string description: | Namespace is the namespace of the Secret. When unspecified, the local namespace is inferred. Note that when a namespace is specified, a ReferencePolicy object is required in the specified namespace to allow that namespace's owner to accept the reference. - name: mode type: string default: Terminate description: "Mode defines the TLS behavior for the TLS session initiated by the client. The only supported mode at this time is `Terminate`" enum: ["Terminate"] - name: options type: map description: | Options are a list of key/value pairs to enable extended TLS configuration for each implementation. enum: ["api-gateway.consul.hashicorp.com/tls_min_version","api-gateway.consul.hashicorp.com/tls_max_version","api-gateway.consul.hashicorp.com/tls_cipher_suites",] ```